Andrew Shikiar, FIDO Alliance Executive Director & CEO
In a significant move to bolster software security, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released new guidance that organizations can use to demand better security from their software vendors.
The Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem underscores the pivotal role that software customers play in digital supply chain security. The guide outlines high-priority security requirements that should be addressed from the earliest stages of software development, a principle central to creating “secure by design” products.
Among the items highlighted are phishing-resistant authentication methods, such as passkeys, as a default feature in software products. Announced on Tuesday, August 6, 2024, at Black Hat USA, this new guidance represents a vital step forward in securing the digital supply chain in the United States and worldwide.
Secure by Demand, Secure by Design
This new guidance complements CISA’s recent Secure by Design Guide aimed at technology manufacturers to improve their software product security. By focusing on the procurement aspect in the supply chain, the new guidance advises software buyers to demand modern security features from technology manufacturers, such as phishing-resistant authentication and passkeys. By doing so, customers can drive demand for security as a baseline feature and compel technology manufacturers to adhere to secure design practices.
The guidance also includes an assessment that buyers can use to evaluate software security and to write security requirements into contracts. It encourages a proactive procurement approach, in which a buyer assesses a manufacturer’s security practices and capabilities in order to reduce vulnerabilities and strengthen resilience. The guide establishes best practices for secure software procurement and highlights the product security features that bolster supply chain security and interoperability.
Passkeys Take Center Stage
CISA’s guidance aligns with the recent guidance from the National Institute of Standards and Technology (NIST) in their digital identity guidelines on authentication and lifecycle management. In supplemental guidance, NIST SP 800-63Bsup1, NIST affirmed that synced passkeys meet Authentication Assurance Level 2 (AAL2) requirements and device-bound passkeys satisfy Authentication Assurance Level 3 (AAL3). The two guidance documents emphasize the importance of security, including digital identity and authentication best practices, across the digital supply chain.
The Secure by Demand guidance empowers IT buyers, who can drive market demand for secure software features, such as passkeys and FIDO authentication. Given that weak or stolen passwords account for 80% of hacking-related breaches and credential phishing has skyrocketed by 967% since 2022, buyers can use the guide’s security assessment to evaluate software security, including passkey capabilities, and improve security risk management in the supply chain. With this guidance, CISA aims to increase awareness and drive market demand for secure software.
Key Recommendations for Software Manufacturers
CISA’s Secure by Demand guide outlines several critical requirements that customers should evaluate when procuring software, and includes questions to assess a software manufacturer’s security capabilities in the following areas:
- Authentication: Manufacturers should support secure, standards-based Single Sign-On (SSO) and implement phishing-resistant multi-factor authentication (MFA) or passkeys — by default, and at no extra cost.
- Eliminating Vulnerabilities: Systematic efforts should be made to address and prevent classes of software defects, such as SQL injection and cross-site scripting vulnerabilities.
- Secure Defaults: Security logs should be provided to customers without additional charges, ensuring transparency and accountability in software security.
- Supply Chain Security: Ensuring the provenance of third-party dependencies via Software Bill of Materials (SBOM) and robust processes for integrating open-source components are vital.
- Vulnerability Disclosure: Transparency and timely reporting of vulnerabilities, including authorization for security testing by the public, are crucial for maintaining trust and improving security outcomes.
A Call to Action for Security Leaders
The guidance for those manufacturing or procuring software across the software supply chain is clear: passkeys improve third-party supply chains and ensure higher security standards in software procurement and development processes. By integrating passkeys into authentication processes, organizations can strengthen end-to-end digital identity lifecycle management and significantly reduce the risks of phishing and social engineering attacks.
To learn more about CISA’s Secure by Demand guidance, visit https://www.cisa.gov/resources-tools/resources/secure-demand-guide.
Ready to go passwordless? Learn how to implement passkeys or find a passkey deployment partner using the FIDO Certified Directory and FIDO Certified Member Showcase.